Firefox Password Manager flaw discovered

A new vulnerability in Firefox's Password Manager may give hackers access to …

A new flaw has been discovered in Firefox which could allow a hacker to gain access to passwords stored by the browser's Password Manager. The attack, called a reverse cross-site request, was initially exploited on MySpace. After viewing a strange looking action attribute in a MySpace page's form tag, a user by the name of Robert Chapin reported the following in Bugzilla:

Not only did Firefox fail to raise a warning, it auto-filled my www.myspace.com username and password into this form!! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website.

If executed successfully, a user would have their credentials automatically filled into the login fields and then be transported to another site. Worse yet, the fields may not even be visible to the user but still be completed due to the Password Manager's auto-fill behavior. Chapin has a detailed description of the attack including a proof of concept demonstration on his website.

Until a fix is released, security experts recommend disabling Firefox's Password Manager and installing the Master Password Timeout extension which "locks the master security device after a predefined period of inactivity to prevent unauthorized use of saved passwords." The vulnerability may also affect Internet Explorer; however, this has yet to be confirmed.